{"id":215,"date":"2025-12-19T11:41:37","date_gmt":"2025-12-19T11:41:37","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2025\/12\/19\/dlls-tls-callbacks-fri-dec-19th\/"},"modified":"2025-12-19T11:41:37","modified_gmt":"2025-12-19T11:41:37","slug":"dlls-tls-callbacks-fri-dec-19th","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2025\/12\/19\/dlls-tls-callbacks-fri-dec-19th\/","title":{"rendered":"DLLs &amp; TLS Callbacks, (Fri, Dec 19th)"},"content":{"rendered":"<div>\n<p>Xavier&#8217;s diary entry &#8220;<a href=\"https:\/\/isc.sans.edu\/diary\/Abusing+DLLs+EntryPoint+for+the+Fun\/32562\/\">Abusing DLLs EntryPoint for the Fun<\/a>&#8221; inspired me to do some tests with TLS Callbacks and DLLs.<\/p>\n<p>TLS stands for Thread Local Storage. TLS Callbacks are an\u00a0execution mechanism in Windows PE files that lets code run automatically when a process or thread starts, before the program\u2019s normal entry point is reached. I&#8217;ve done tests in the past with EXEs and TLS Callbacks, but never with DLLs.<\/p>\n<p>In Windows, TLS is used to give each thread its own copy of certain variables. 
To support this, the PE format has a TLS directory (IMAGE_TLS_DIRECTORY) that describes:<\/p>\n<ul>\n<li>Where TLS data is stored<\/li>\n<li>How large it is<\/li>\n<li>A list of callback functions<\/li>\n<\/ul>\n<p>My <a href=\"https:\/\/github.com\/DidierStevens\/DidierStevensSuite\/blob\/master\/pecheck.py\">pecheck.py<\/a> tool lists TLS callbacks:<\/p>\n<p><img decoding=\"async\" alt=\"\" src=\"https:\/\/isc.sans.edu\/diaryimages\/images\/20251217-193116.png\" style=\"width: 993px; height: 527px;\"><\/p>\n<p>I used the following code for a DLL with a TLS callback:<\/p>\n<pre>\n<code class=\"language-cpp\">#include &lt;windows.h&gt;\n\n\/\/ Declare TLS callback section\n#pragma section(\".CRT$XLB\", read)\n\n\/\/ TLS callback function\nvoid NTAPI MyTlsCallback(PVOID hModule, DWORD dwReason, PVOID pReserved)\n{\n    if (dwReason == DLL_PROCESS_ATTACH)\n    {\n        MessageBoxA(NULL, \"TLS Callback fired\", \"TLS\", MB_OK);\n    }\n}\n\n\/\/ Force linker to include TLS directory symbol\n#ifdef _WIN64\n#pragma comment(linker, \"\/INCLUDE:_tls_used\")\n#pragma comment(linker, \"\/INCLUDE:tls_callback_func\")\n#else\n#pragma comment(linker, \"\/INCLUDE:__tls_used\")\n#pragma comment(linker, \"\/INCLUDE:_tls_callback_func\")\n#endif\n\n\/\/ Place pointer in TLS callback section (extern \"C\" prevents mangling)\nextern \"C\" __declspec(allocate(\".CRT$XLB\"))\nPIMAGE_TLS_CALLBACK tls_callback_func = MyTlsCallback;\n\n\/\/ Standard DllMain\nBOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)\n{\n    if (ul_reason_for_call == DLL_PROCESS_ATTACH)\n        MessageBoxA(NULL, \"DllMain fired\", \"DllMain\", MB_OK);\n    return TRUE;\n}\n<\/code><\/pre>\n<p>And compiled it with Visual Studio C++:<\/p>\n<pre>\n<code class=\"language-bash\">cl \/nologo \/EHsc \/LD tls_dll.cpp user32.lib<\/code><\/pre>\n<p>I used rundll32 to load the DLL.<\/p>\n<p>The callback function got executed:<\/p>\n<p><img decoding=\"async\" alt=\"\" 
src=\"https:\/\/isc.sans.edu\/diaryimages\/images\/20251217-193545.png\" style=\"width: 607px; height: 325px;\"><\/p>\n<p>before the DllMain function:<\/p>\n<p><img decoding=\"async\" alt=\"\" src=\"https:\/\/isc.sans.edu\/diaryimages\/images\/20251217-193611.png\" style=\"width: 551px; height: 311px;\"><\/p>\n<p>This is something to take into account when performing static analysis: besides DllMain and the exported functions, also look at TLS callbacks (if any).<\/p>\n<p>It is also important when performing dynamic analysis: when using a debugger, make sure to check how it is configured:<\/p>\n<p><img decoding=\"async\" alt=\"\" src=\"https:\/\/isc.sans.edu\/diaryimages\/images\/20251217-194453.png\" style=\"width: 447px; height: 591px;\"><\/p>\n<p>This debugger is configured to break on TLS callbacks, so these callbacks will not execute\u00a0unbeknownst to you.<\/p>\n<p>Didier Stevens<br \/>\nSenior handler<br \/>\n<a href=\"http:\/\/blog.didierstevens.com\/\">blog.DidierStevens.com<\/a><\/p>\n<p> (c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Xavier&#8217;s diary entry &#8220;Abusing DLLs EntryPoint for the Fun&#8221; inspired me to do some tests with TLS Callbacks and DLLs. TLS stands for Thread Local Storage. TLS Callbacks are an\u00a0execution mechanism in Windows PE files that lets code run automatically when a process or thread starts, before the program\u2019s normal entry point is reached. 
I&#8217;ve [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[90],"tags":[91],"class_list":["post-215","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/215","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/comments?post=215"}],"version-history":[{"count":0,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/215\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/media?parent=215"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/categories?post=215"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/tags?post=215"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}